Presentation is loading. Please wait.

Presentation is loading. Please wait.

Scalable Flow-Based Networking with DIFANE 1 Minlan Yu Princeton University Joint work with Mike Freedman, Jennifer Rexford and Jia Wang.

Similar presentations


Presentation on theme: "Scalable Flow-Based Networking with DIFANE 1 Minlan Yu Princeton University Joint work with Mike Freedman, Jennifer Rexford and Jia Wang."— Presentation transcript:

1 Scalable Flow-Based Networking with DIFANE 1 Minlan Yu Princeton University Joint work with Mike Freedman, Jennifer Rexford and Jia Wang

2 2 What’s DIFANE? Traditional enterprise – Hard to manage – Limited policies – Distributed Flow-based networking – Easy to manage – Support fine-grained policy – Scalability remains a challenge DIFANE: A scalable way to apply fine-grained policies in enterprises DIFANE: A scalable way to apply fine-grained policies in enterprises

3 HTTP Access control – Drop packets from malicious hosts Customized routing – Direct Skype calls on a low-latency path Measurement – Collect detailed HTTP traffic statistics Flexible Policies in Enterprises 3 HTTP

4 Flow-based Switches Install rules in flow-based switches – Store rules in high speed memory (TCAM) Perform simple actions based on rules – Rules: Match on bits in the packet header – Actions: Drop, forward, count 4 drop forward via link 1 Flow space src. dst.

5 Challenges of Policy-Based Management Policy-based network management – Specify high-level policies in a management system – Enforce low-level rules in the switches Challenges – Large number of hosts, switches and policies – Limited TCAM space in switches – Support host mobility – No hardware changes to commodity switches 5

6 Pre-install Rules in Switches 6 Packets hit the rules Forward Problems: – No host mobility support – Switches do not have enough memory Pre-install rules Controller

7 Install Rules on Demand (Ethane, NOX) 7 First packet misses the rules Buffer and send packet header to the controller Install rules Forward Controller Problems: – Delay of going through the controller – Switch complexity – Misbehaving hosts

8 DIFANE: Combining Proactive & Reactive 8 Features Proactive Reactive( Ethane) DIFANE Host mobility Memory usage Keep packet in data plane Install rules

9 DIFANE Architecture (two stages) 9 DIstributed Flow Architecture for Networked Enterprises

10 Stage 1 10 The controller proactively generates the rules and distributes them to authority switches.

11 Partition and Distribute the Flow Rules 11 Ingress Switch Egress Switch Distribute partition information Authority Switch A AuthoritySwitch B Authority Switch C reject accept Flow space Controller Authority Switch A Authority Switch B Authority Switch C

12 Stage 2 12 The authority switches keep packets always in the data plane and reactively cache rules.

13 Following packets Packet Redirection and Rule Caching 13 Ingress Switch Authority Switch Egress Switch First packet Redirect Forward Feedback: Cache rules Hit cached rules and forward A slightly longer path in the data plane is faster than going through the control plane

14 Locate Authority Switches Partition information in ingress switches – Using a small set of coarse-grained wildcard rules – … to locate the authority switch for each packet Distributed directory service but not DHT – Hashing does not work for wildcards – Keys can have wildcards in arbitrary bit positions 14 Authority Switch A AuthoritySwitch B Authority Switch C X:0-1 Y:0-3  A X:2-5 Y: 0-1  B X:2-5 Y:2-3  C X:0-1 Y:0-3  A X:2-5 Y: 0-1  B X:2-5 Y:2-3  C

15 Following packets Packet Redirection and Rule Caching 15 Ingress Switch Authority Switch Egress Switch First packet Redirect Forward Feedback: Cache rules Hit cached rules and forward

16 Three Sets of Rules in TCAM TypePriorityField 1Field 2ActionTimeout Cache Rules 21000**111*Forward to Switch B10 sec 209111011**Drop10 sec …………… Authority Rules 11000**001*Forward Trigger cache manager Infinity 10900010***Drop, Trigger cache manager …………… Partition Rules 150***000*Redirect to auth. switch 14… …………… 16 In ingress switches reactively installed by authority switches In ingress switches reactively installed by authority switches In authority switches proactively installed by controller In authority switches proactively installed by controller In every switch proactively installed by controller In every switch proactively installed by controller

17 Cache Rules DIFANE Switch Prototype Built with OpenFlow switch 17 Data Plane Control Plane Cache Manager Cache Manager Send Cache Updates Recv Cache Updates Only in Auth. Switches Authority Rules Partition Rules Just software modification for authority switches Notification Cache rules

18 Caching Wildcard Rules Overlapping wildcard rules – Cannot simply cache matching rules 18

19 Caching Wildcard Rules Multiple authority switches – Contain independent sets of rules – Avoid cache conflicts in ingress switch 19 Authority switch 1 Authority switch 2

20 Partition Wildcard Rules Partition rules – Minimize the TCAM entries in switches – Decision-tree based rule partition algorithm 20 Cut A Cut B Cut B is better than Cut A

21 Handling Network Dynamics 21 Network dynamics Cache rules Authority Rules Partition Rules Policy changes at controller TimeoutChange Mostly no change Topology changes at switches No change Change Host mobilityTimeoutNo change

22 Prototype Evaluation Evaluation setup – Kernel-level Click-based OpenFlow switch – Traffic generators, switches, controller run on separate 3.0GHz 64-bit Intel Xeon machines Compare delay and throughput – NOX: Buffer packets and reactively install rules – DIFANE: Forward packets to authority switches 22

23 Delay Evaluation Average delay (RTT) of the first packet – NOX: 10 ms – DIFANE: 0.4 ms Reasons for performance improvement – Always keep packets in the data plane – Packets are delivered without waiting for rule caching – Easily implemented in hardware to further improve performance 23

24 Peak Throughput One authority switch; Single-packet flow 24 2341 ingress switch Controller Bottleneck (50K) Controller Bottleneck (50K) DIFANE (800K) DIFANE (800K) Ingress switch Bottleneck (20K) Ingress switch Bottleneck (20K) DIFANE further increases the throughput linearly with the number of authority switches.

25 Scaling with Many Rules How many authority switches do we need? – Depends on total number of rules … and the TCAM space in these authority switches 25 CampusIPTV # Rules30K5M # Switches1.7K3K Assumed Authority Switch TCAM size 160 KB1.6 MB Required # Authority Switches 5 (0.3%)100 (3%)

26 Stepping back … 26

27 Distributed or Centralized? 27 logically-centralized in the management system Distributed amongst the network elements All functions in switches OpenFlow/NOX DIFANE Controller is still in charge Switches host a distributed directory of the rules DIFANE Controller is still in charge Switches host a distributed directory of the rules

28 Thanks! 28


Download ppt "Scalable Flow-Based Networking with DIFANE 1 Minlan Yu Princeton University Joint work with Mike Freedman, Jennifer Rexford and Jia Wang."

Similar presentations


Ads by Google